Audit Report

OIG-11-046
Management Letter for the Audit of the Office of the Comptroller of the Currency's Fiscal Years 2010 and 2009 Financial Statements

December 07, 2010

Office of Inspector General
Department of the Treasury

This report has been reviewed for public dissemination by the Office of Counsel to the Inspector General. Information on pages 2 through 4 requiring protection from public dissemination has been redacted from this report in accordance with Exemption 2 of the Freedom of Information Act, 5 U.S.C. Section 552. Redacted passages are marked [redacted] below.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220
OFFICE OF INSPECTOR GENERAL

December 07, 2010

MEMORANDUM FOR JOHN WALSH
ACTING COMPTROLLER OF THE CURRENCY

FROM: Michael Fitzgerald
Director, Financial Audits

SUBJECT: Management Letter for the Audit of the Office of the Comptroller of the Currency's Fiscal Years 2010 and 2009 Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of the Comptroller of the Currency's (OCC) Fiscal Years 2010 and 2009 financial statements. Under a contract monitored by the Office of Inspector General, GKA, P.C. (GKA), an independent certified public accounting firm, performed an audit of the financial statements of OCC as of September 30, 2010 and 2009 and for the years then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.

As part of its audit, GKA issued and is responsible for the accompanying management letter, which discusses certain matters involving internal control over financial reporting and its operation that were identified during the audit but were not required to be included in the auditor's reports.

In connection with the contract, we reviewed GKA's letter and related documentation and inquired of its representatives. Our review disclosed no instances where GKA did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Ade Bankole, Manager, Financial Audits, at (202) 927-5329.

Attachment


gka, P.C.
Certified Public Accountants | Management Consultants

OFFICE OF THE COMPTROLLER OF THE CURRENCY
MANAGEMENT LETTER
FISCAL YEAR 2010

October 29, 2010

Member of the American Institute of Certified Public Accountants
1015 18th Street, NW · Suite 200 · Washington, DC 20036 · Phone: 202-857-1777 · Fax: 202-857-1778 · www.gkacpa.com


Inspector General, Department of the Treasury, and
the Comptroller of the Currency:

We have audited the balance sheet as of September 30, 2010 and the related statements of net cost, changes in net position, and budgetary resources for the year then ended, hereinafter referred to as "financial statements", of the Office of the Comptroller of the Currency (OCC) and have issued an unqualified opinion thereon dated October 29, 2010. In planning and performing our audit of the financial statements of the OCC, we considered its internal control over financial reporting in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements and not to provide assurance on internal control. We have not considered the internal control since the date of our report.

During our audit we noted certain matters involving OCC's information technology general controls that are presented in this letter for your consideration. The comments and recommendations, all of which have been discussed with the appropriate members of OCC management, are intended to improve OCC's information technology general controls or result in other operating efficiencies.

OCC management's responses to our comments and recommendations have not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we do not express an opinion or provide any form of assurance on the appropriateness of the responses or the effectiveness of any corrective action described therein.

We appreciate the cooperation and courtesies extended to us during the audit. We will be pleased to meet with you or your staff, at your convenience, to discuss our report or furnish any additional information you may require.

October 29, 2010


Office of the Comptroller of the Currency
Management Letter Comments and Recommendations
Year Ended September 30, 2010

Improvements Needed in Information Technology General Controls over OCC's Financial Systems (Repeat Condition)

In our fiscal year (FY) 2009 audit, we identified weaknesses in the areas of entity-wide security management and contingency planning, access controls, and configuration management. We reported these weaknesses to management in a management letter. In FY 2010, OCC made significant progress in resolving these weaknesses, as evidenced in OCC's Plan of Actions and Milestones (POA&M) and our verification that many of the prior year issues had been corrected. Two (2) out of five (5) issues identified in the prior years remain partially unresolved. There were no new findings for FY 2010.

The remaining weaknesses in OCC's IT general controls are discussed below.

(A) Security Management and Contingency Planning

An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management's commitment to addressing security risks.

Contingency planning safeguards against losing the capacity to process, retrieve, and protect information maintained electronically, the loss of which would significantly affect an agency's ability to accomplish its mission.

1. There are weaknesses in the OCC's process for updating its Certification and Accreditation (C&A) documentation.

As noted during our prior year audit, there are weaknesses in the OCC's process for updating its Certification and Accreditation (C&A) documentation. Specifically, we noted the following:

   •  The Network Infrastructure General Support System (NI GSS) Information Technology Recovery Plan (ITRP) dated July 21, 2008 has not been updated to reflect the current NI GSS environment. Specifically, we noted the following:
         o  There is no evidence that the NI GSS ITRP has been updated to reflect the lessons learned from the ITRP disaster recovery test that was performed in August 2009.
         o  The NI GSS ITRP, July 21, 2008, page 17, paragraph 1, states that the planned migration to [redacted] is planned for 2007. However, the [redacted] migration has been completed and the ITRP has not been updated.
         o  The NI GSS ITRP, page 17, states, "IBM Compatible [redacted] Mainframe running [redacted] Operating System is planned for decommission by 2008". However, it is not clear from our review of the ITRP whether this has occurred.
         o  The NI GSS ITRP, Section 6.32, page 74, states that "an updated copy of the ITRP is distributed quarterly to key personnel including 2 Resident Technical Support Specialists in the Southern and Western Districts". However, we could not confirm that this is being done.

   •  The $MART IT Contingency Plan (ITCP or CP) has not been updated to reflect changes to the $MART operating environment. Although the $MART critical applications were listed, one application, the [redacted], does not reflect the current $MART computing environment: [redacted] was upgraded to [redacted] in FY 2009.

      While the $MART ITCP was updated to incorporate a reference to [redacted] in Section 6 (System Description), it still had outdated references to [redacted] in the context of references to team representation (page 18, table 7-3), recovery goals (page 25, table 15-1), application support team (page A-1, table A-3), required applications (page I-4, table I-2), and strategic recovery objectives (page I-20, table I-11). Once notified of this issue, OCC management updated the $MART ITCP before the end of our field work. Additionally, we noted that OCC was in the process of reviewing and updating the NI GSS ITRP.

The OCC Master Security Controls Catalog states the following:

      "The OCC reviews the contingency plan for information systems (annually) and revises the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing."

Over time, policies and procedures may become inadequate because of changes in threats, changes in operations, or deterioration in the degree of compliance. Failure to update contingency plans increases the probability that OCC management may not be aware of how system changes affect the OCC's ability to recover from disaster situations.

Recommendations:
We recommend that OCC management:

(1) Implement a process to ensure that C&A documentation is updated timely in accordance with OCC policy, and that approvals are documented on file.

(2) Ensure that the information contained in the C&A documentation is accurate and reflects the current system operating and organizational environment.

Management's Response:
Management concurs with the finding and recommendations. IRM will ensure timely and accurate updates to C&A documentation by implementing a documented process to review the status of C&A documentation in TAF (Trusted Agent FISMA). Quarterly artifacts reports will be generated from TAF and reviewed by the C&A team to ensure all approved versions of the documentation are posted in TAF.

As described below, the OCC has made or will be making corrections to the two documents noted by the auditors, the NI GSS ITRP and the $MART CP.

   Issues with the NI GSS ITRP:
   a. The NI GSS ITRP is not currently up to date due to the departure of the ITRP Manager. The NI GSS ITRP is currently being updated. The updated version will include lessons learned from this year's test. Scheduled completion date: October 31, 2010.

   b. The planned migration to the [redacted] has been completed. The updated ITRP will note the completion of this upgrade and include ITRP-related SAN information.

   c. An OCC management decision was made to delay the decommissioning of the IBM Compatible [redacted] Mainframe running [redacted] Operating System. The updated ITRP will note the current operational status of the mainframe and will include other mainframe ITRP information.

   d. The ITRP has not been distributed quarterly to key personnel including 2 Resident Technical Support Specialists in the Southern and Western Districts due to the departure of the ITRP Manager. The ITRP will be updated annually and will be distributed quarterly to key personnel including 2 Resident Technical Support Specialists in the Southern and Western Districts.

   Issues with the $MART CP:
   The C&A program approved a new ITCP template in January 2010. As recommended by our C&A vendor, this template combined the Business Impact Analysis (BIA) into the ITCP. As part of the $MART 2010 Recertification, the $MART ITCP was updated in April 2010 (Version 4.01, dated 4/21/2010) and has been uploaded to the Audit Fix SharePoint site. The BIA is included as Appendix I in the ITCP. The latest information on the $MART environment is included in section 6, General System Description/Purpose, page 8, and states the use of [redacted].

(B) Configuration Management

Configuration management policies, plans, and procedures should be developed, documented, and implemented at the entity-wide, system, and application levels to ensure an effective configuration management process.

2. Users have administrative rights to install personal or public domain software on their desktops.

As noted during the prior year audit, although a process for removing and detecting unauthorized software has been implemented as a compensating control, that control does not fully mitigate the weakness: detection and removal act only after unauthorized software is already on the workstation. Users have administrative rights to install personal or public domain software on their desktops.

The OCC is in the process of implementing a software tool to remediate this weakness. The Beyond Trust (BT) implementation project is currently in testing and is scheduled for complete implementation by April 2011.

NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, User Installed Software, states:

   "Control: The organization enforces explicit rules governing the installation of software by users.

   Supplemental Guidance: If provided the necessary privileges, users have the ability to download and install software. The organization identifies what types of software downloads and installations are permitted (e.g., updates and security patches to existing software) and what types of downloads and installations are prohibited (e.g., software that is free only for personal, not government, use). The organization also restricts the use of install-on-demand software."

The use of unapproved software by employees could negatively impact processing operations, introduce malicious code, and/or cause the loss of data.

Recommendation:
We recommend that OCC management continue with its plans to implement a software solution to restrict users from installing and executing unauthorized software on OCC workstations.

Management's Response:
Management concurs with the finding and recommendation. The OCC has chosen to address this issue by using Beyond Trust application control software (ACS) to control elevation of privileges.

The present OCC user desktop configuration allows local administrator privileges for all users. This means that users are not blocked from installing or downloading unauthorized or potentially malicious software which can harm computers and networks. OCC is currently implementing an industry-proven COTS solution, called Beyond Trust Privilege Manager, to provide minimally-needed privileges for about 95% of the typical users to fully execute their mission applications. The Beyond Trust tactic will establish a control method and an approval process to prevent these users from downloading, installing, or executing un-approved software.

At the same time, Beyond Trust will allow the remaining 5% of the Designated IT Specialists (e.g. Administrators, System Developers, Trained Technical Support Personnel, and Computer Security Analysts) to have full administrative rights to perform their official duties in supporting user desktop configurations or protecting application infrastructure.

Beyond Trust is currently undergoing two rounds of testing in the OCC Enterprise Testing Lab from August 24, 2010 to October 24, 2010. The control application is being readied for field testing among a group of about 40 pilot users starting in mid-October 2010. If pilot testing is successful, full implementation of Beyond Trust will expand by phases for all OCC users in accordance with the following schedule estimates:

   Southern District:   November 15, 2010 to December 15, 2010
   Western District:    December 15, 2010 to January 15, 2011
   Central District:    January 15, 2011 to February 15, 2011
   Northern District:   February 15, 2011 to March 15, 2011
   HQ:                  March 15, 2011 to April 15, 2011
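The underlying condition in finding 2 is that every standard user sits in the local Administrators group of their workstation, so the compensating detect-and-remove process only ever runs after unauthorized software is already installed. Before and after a privilege-management rollout of the kind described above, the check a practitioner wants is an inventory of who actually holds local administrator rights on each workstation, compared against the roster of designated IT specialists. The following PowerShell script is an added example and is not part of the GKA letter or of OCC's Beyond Trust project; the computer names, the approved-administrator group names and the report path are assumptions, and it requires PowerShell 5.1 or later (for Get-LocalGroupMember) and WinRM on the targets.

```powershell
# Added example: audit local Administrators group membership across workstations
# and flag every member that is not the built-in Administrator account and is not
# on the approved list of designated IT specialist groups/accounts.
# Assumptions: computer names, approved group names and the report path below are
# placeholders; targets run PowerShell 5.1+ with WinRM enabled.

param(
    [string[]]$ComputerName   = @('WKS-SD-001', 'WKS-WD-001'),   # assumed names
    [string[]]$ApprovedAdmins = @(
        'OCC\Domain Admins',           # assumed group name
        'OCC\Desktop-Support-Admins'   # assumed group name
    ),
    [string]$ReportPath = '.\local-admin-audit.csv'
)

# Runs on each target and returns one object per member of the local
# Administrators group. Names come back as DOMAIN\name or COMPUTER\name.
$collect = {
    $builtIn = "$env:COMPUTERNAME\Administrator"   # always present; not a finding
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            Member          = $_.Name
            ObjectClass     = $_.ObjectClass        # User or Group
            PrincipalSource = $_.PrincipalSource    # Local, ActiveDirectory, ...
            IsBuiltIn       = ($_.Name -eq $builtIn)
        }
    }
}

# Unreachable hosts are reported as errors but do not abort the sweep.
$members = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect -ErrorAction Continue

# A member is a violation unless it is the built-in local Administrator or an
# explicitly approved principal. A domain User object appearing here is exactly
# the "all users are local administrators" condition the finding describes.
$violations = $members | Where-Object {
    -not $_.IsBuiltIn -and ($ApprovedAdmins -notcontains $_.Member)
}

# Detailed evidence for the POA&M, one row per (workstation, member).
$violations |
    Sort-Object Computer, Member |
    Select-Object Computer, Member, ObjectClass, PrincipalSource |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Per-workstation summary for the audit working papers.
$violations | Group-Object Computer | ForEach-Object {
    '{0}: {1} unapproved local admin(s): {2}' -f $_.Name, $_.Count, ($_.Group.Member -join ', ')
}
```

Two caveats when reading the output. Get-LocalGroupMember does not expand nested groups, so an approved domain group that itself contains every user (for example a "Domain Users" membership granted years ago) passes this check while still granting everyone administrator rights; resolve the approved groups' membership in the directory separately. And a clean result only shows that the group membership has been tightened; it says nothing about whether the privilege-elevation tool's own rules permit installs, which has to be checked against that tool's policy.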